I could really use some help.
I've followed the advice in this answer so that my server is sending Access-Control-Allow-Origin headers for whatever origin is requesting a particular resource. Sadly I'm still getting the same XMLHttpRequest cannot load https://requestedUrl. Origin https://originUrl is not allowed by Access-Control-Allow-Origin error in the browser.
The header is definitely being set. I've copied the provided middleware code-snippet exactly and it is definitely being run. Running out of ideas to look into.
Any thoughts would be very much appreciated.
The problem was twofold.
Firstly I wasn't sending Access-Control-Allow-Credential. Secondly, once Access-Control-Allow-Credential is being sent, Access-Control-Allow-Origin cannot be *.